01-29-2010 12:27 AM - edited 03-04-2019 07:20 AM
hello,
I have a 2811 router with 2 FastEthernet interfaces connected to two ISPs.
Fa0/1 is connected to ISP-1
Fa0/2 is connected to ISP-2
I created two access-lists, ACL1 (for ISP-1) and ACL2 (for ISP-2), to NAT the two different ranges of the two network connections.
Now I plan a configuration with PBR to automatically switch the ACL1 network out to ISP-2 when ISP-1 is down, and vice versa.
My problem is how to configure the "ip nat inside source list .. .." so that when PBR selects next-hop ISP-2, ACL1 may also be NATted on interface Fa0/2 of ISP-2.
How do I configure NAT so that when the automatic failover takes place, the different networks are accepted in the "ip nat inside ..."?
Or is there another way to do it?
This is a sample of initial config :
interface fastethernet 0/1
 description ISP-1
 ip address X.X.X.X 255.255.255.252
 ip nat outside
interface fastethernet 0/2
 description ISP-2
 ip address X.X.X.X 255.255.255.252
 ip nat outside
ip access-list standard ACL1
 permit 192.168.1.0 0.0.0.255
ip access-list standard ACL2
 permit 192.168.2.0 0.0.0.255
ip nat inside source list ACL1 interface fastethernet 0/1 overload
ip nat inside source list ACL2 interface fastethernet 0/2 overload
Thanks in advance.
01-29-2010 02:16 AM
Hi,
Jose, for your requirement, for NAT and PBR to work in a single router, create a route map permitting those specific sources and mark their destination as the next-hop interface in the route map. Check out the sample config below; hope that clears up your query !!
ip policy route-map Nat-loop
ip nat inside source list 10 interface fastethernet 0/1 overload
ip nat inside source list 10 interface fastethernet 0/2 overload
access-list 102 permit ip any 192.168.2.0 0.0.0.255
route-map Nat-loop permit 10
 match ip address 102
 set ip next-hop first link ip
route-map Nat-loop permit 20
 match ip address 102
 set ip next-hop second link ip
Hope to help
Ganesh.H
01-29-2010 04:18 AM
Thanks Ganesh.H,
If I understand correctly, you offered me the following config:
interface fastethernet 0/1
 description ISP-1
 ip address X.X.X.X 255.255.255.252
 ip nat outside
interface fastethernet 0/2
 description ISP-2
 ip address X.X.X.X 255.255.255.252
 ip nat outside
ip access-list standard ACL1
 permit 192.168.1.0 0.0.0.255
ip access-list standard ACL2
 permit 192.168.2.0 0.0.0.255
ip nat inside source list ACL1 interface fastethernet 0/1 overload
ip nat inside source list ACL2 interface fastethernet 0/1 overload
ip nat inside source list ACL2 interface fastethernet 0/2 overload
ip nat inside source list ACL1 interface fastethernet 0/2 overload
ip policy route-map Nat-loop
route-map Nat-loop permit 10
 match ip address ACL1
 set ip next-hop ISP-1 (ip address)
route-map Nat-loop permit 20
 match ip address ACL2
 set ip next-hop ISP-2 (ip address)
route-map Nat-loop permit 30
 match ip address ACL1
 set ip next-hop ISP-2 (ip address)
route-map Nat-loop permit 40
 match ip address ACL2
 set ip next-hop ISP-1 (ip address)
Is that OK?
Thanks.
01-29-2010 09:24 PM
Hi,
The configuration is for active/active use of the ISPs. Route maps are executed in the order of the lowest sequence number to the highest. You can edit or modify maps by using the sequence number. If a match is found within a route map instance, execution of further route map instances stops.
So what I would suggest is to change the set criteria in the route map and match only two route-map entries for your ACLs. Check out the sample config below with the explanation.
route-map PBR_LAN permit 10
 match ip address ACL1
 set interface Serial2/1 Serial2/0
In the same fashion, create one for ACL2 and set the next hop first as Serial2/0 (I mean the secondary link first, then the primary link).
then we apply it to the LAN facing interface:
interface FastEthernet0/0
 description LAN
 ip policy route-map PBR_LAN
Note that we used two interface names in the set interface command: if S2/1 is down, IOS will use S2/0, so we have a small level of redundancy and WAN-side fault tolerance for mission-critical traffic. We can achieve fault tolerance for LAN-to-WAN traffic too by adding a higher-metric default route:
ip route 0.0.0.0 0.0.0.0 Serial2/1 10
Hope that clears your query !!
If helpful do rate !!
Ganesh.H
03-03-2010 08:34 AM
Thanks ganeshh.iyer
Indeed, I would like to make dual homing with 2 ISPs and my local area network divided in 2, and make automatic failover when one ISP fails.
My current config:
ip sla 1
 icmp-echo ISP1-IP source-ip 192.168.10.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo ISP2-IP source-ip 192.168.20.1
 frequency 10
ip sla schedule 2 life forever start-time now
track 122 rtr 2 reachability
 delay down 10 up 30
!
track 111 rtr 1 reachability
 delay down 10 up 30
interface GigabitEthernet0/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map test
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description ISP1
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1.20
 description ISP2
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.20.2
!
!
ip nat inside source list ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source list ISP2 interface GigabitEthernet0/1.20 overload
!
ip access-list standard ISP1
 permit 10.10.10.5
 permit 10.10.10.6
 permit 10.10.10.10
 permit 10.10.10.11
ip access-list standard ISP2
 permit 10.10.10.100
 permit 10.10.10.101
!
route-map test permit 10
 match ip address ISP1
 set ip next-hop verify-availability 192.168.10.2 10 track 111
 set ip next-hop verify-availability 192.168.20.2 15 track 122
!
route-map test permit 20
 match ip address ISP2
 set ip next-hop verify-availability 192.168.20.2 10 track 122
 set ip next-hop verify-availability 192.168.10.2 15 track 111
Let me explain: some IPs of the LAN network go out via ISP1 and the others via ISP2. When the ISP1 connection no longer works (the ISP1 IP becomes unavailable), I would like those going out via ISP1 to automatically begin going out via ISP2.
The problem is that when ISP1 is not reachable, the traffic of the access list ISP1 does not manage to be NATted to pass over the ISP2 connection. The failover does not work. What is wrong in the config and what can I do, please?
Thanks in advance.
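The failure described in this last post, and the four-way duplicated "ip nat inside source list" idea in the earlier reply, have the same root cause: an "ip nat inside source list ACL interface X overload" rule is selected by the source ACL alone, so once PBR steers an ISP1 host out GigabitEthernet0/1.20, the packet is still translated to the address of GigabitEthernet0/1.10 and leaves the wrong outside interface with the wrong source address; the second ISP's anti-spoofing filtering drops it, and repeating the list statement per interface does not make the choice depend on the egress interface. The example below is an added illustration (not config posted in this thread) of the route-map form of inside-source NAT, in which each NAT rule also has to match the outgoing interface, so the translated address always follows the path PBR chose. It reuses the interface names and access lists from the post above; the route-map names NAT-ISP1 and NAT-ISP2 are assumptions chosen here.

```cisco
! Added example (hypothetical IOS config, not from the thread).
! Interface names and access lists are taken from the post above;
! route-map names NAT-ISP1 / NAT-ISP2 are assumed.
ip access-list standard ISP1
 permit 10.10.10.5
 permit 10.10.10.6
 permit 10.10.10.10
 permit 10.10.10.11
ip access-list standard ISP2
 permit 10.10.10.100
 permit 10.10.10.101
!
! Any host of either group may leave via ISP1 (as primary or as backup),
! but only when the packet is actually exiting the ISP1 subinterface.
route-map NAT-ISP1 permit 10
 match ip address ISP1 ISP2
 match interface GigabitEthernet0/1.10
!
! Same for ISP2: the translation is tied to the egress interface,
! not to which ACL the source happens to be in.
route-map NAT-ISP2 permit 10
 match ip address ISP1 ISP2
 match interface GigabitEthernet0/1.20
!
! Remove the list-based rules from the post and replace them with
! route-map-based rules; the existing PBR route-map "test" still
! decides the next hop per tracked object.
no ip nat inside source list ISP1 interface GigabitEthernet0/1.10 overload
no ip nat inside source list ISP2 interface GigabitEthernet0/1.20 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1.20 overload
```

Two things to check after a failover test: "show track 111" and "show route-map test" confirm which next hop PBR is currently selecting, and "show ip nat translations" should show ISP1 hosts being translated to 192.168.20.1 while ISP1 is down. Translations that were created before the failure stay in the NAT table until they time out, so established flows will not move until those entries expire or are cleared with "clear ip nat translation *"; that is normal IOS behaviour, not a PBR fault.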